Close this search box.
AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Harbor cooperation between DPO, Legal Services, IT and Marketing
Turn data subject request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Guide your partners trough vendor management process workflow
Identifying the risk from the point of view of Data Subject
Quickly respond, mitigate damage and maintain compliance
Consolidate your data and prioritize your relationship with customers
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

What are the 7 principles of GDPR

What are the 7 principles of GDPR

The General Data Protection Regulation (GDPR) prescribes seven principles that create the backbone of any compliance program, and as an organization, you are obligated to comply with them as described in Article 5.

They ensure the fair and lawful processing of personal data while safeguarding individuals’ rights, fostering transparency, and promoting accountability among organizations handling such information.

These principles collectively establish a robust framework for data protection in the ever-evolving digital landscape.

seven principles of GDPR

We will go over each of the seven principles of the GDPR. However, we encourage you to explore the links since the topic is very broad, and links will provide more in-depth information.

1. Lawfulness, fairness, and transparency principle

When you look at the meaning of the words lawfulness, fairness, and transparency, you can get a pretty good idea of how you should conduct personal data processing, as GDPR states:Lawfulnes, fairness and transparency GDPR principle
Your processing should be based on the law, within the lines of what you explained to the individual, and you should provide clear notice about processing. However, what precisely does the principle encircle?


In the concept of the GDPR, lawfulness is related to two things; choosing a proper lawful basis for processing personal data and avoiding illegal activities when processing personal data.

Before processing personal data, you should always identify grounds for the processing. There are six different lawful bases for processing personal data:

1. Consent- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

2. Contract – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

3. Legal obligation – processing is necessary for compliance with a legal obligation to which the controller is subject;

4. Protection of vital interest – processing is necessary in order to protect the vital interests of the data subject or of another natural person;

5. Public task- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

6. Legitimate interest  -processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject

You will have to base your processing on one of those six grounds, picking which one will depend on your relationship with the individual and the circumstances of the processing. If you cannot apply any lawful basis on your processing activity, then the processing is unlawful.


Fairness means that you will process personal data only in a way that is reasonably expected from you. You shouldn’t misuse personal data or process them in any way that would negatively affect an individual.

Collecting, storing, and processing personal data that was collected in a deceiving way or by misleading the individual will lead to a breach of the fairness principle.


The transparency principle requires clear, open, and honest communication with individuals about how their personal data is being used. It is important to notify individuals about the information you use about them, whether you obtained that information from them directly or from another source.

“The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.” Recital 39

The point of transparent processing is to enable individuals to exercise their rights under the GDPR if they wish.

In recent years there has been a greater emphasis on transparency, especially from the customer’s point of view. Many companies have seen this as an opportunity to create a competitive advantage by being open and transparent with individuals.

58% of customers would be comfortable with relevant personal information being used in a transparent and beneficial manner

In recent research, 63% of customers stated most companies aren’t transparent about how their data is used. However, 58% of customers would be comfortable with relevant personal information being used in a transparent and beneficial manner.

2. Purpose limitation principle

Purpose limitation simply means that you need to be clear from the start about why you are collecting and processing personal data and your intention behind it.

“Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, under Article 89(1), not be considered to be incompatible with the initial purposes.” GDPR Article 5(1)(b)GDPR principle purpose limitationYou can only use personal data for the purpose you have collected it in the first place. Any additional processing has to be compatible with your original purpose, or you can always obtain consent from an individual.

If you are trying to define whether your new purpose is compatible with the old one, you can ask yourself:

  • Is your new purpose very different from your original purpose?
  • Would additional processing have a negative impact on individuals?
  • Is a new purpose completely disconnected from the original purpose?
  • Is a new purpose unexpected?

If you find yourself answering any of those questions with a yes, you will probably need to ask for a new consent.

3. Data minimization principle

The data minimization principle limits the data controller to collect, store, process and use only personal information that is necessary to provide the required service or fulfill a specific purpose. GDPR- data minimization principleThis means you will have to identify what is the minimal amount of data you need to fulfill the purpose of why you even collected personal data in the first place. Simply put, collect only the minimum data that you need.

For example, if you have a newsletter subscription, it is unnecessary to collect anything other than an e-mail address and possibly a first name (if you want to provide a personalized experience for your subscribers).

If you want to make sure you are collecting a minimal amount of data, ask yourself:

  • Can you achieve the purpose without collecting the data?
  • Is your data collection limited to information that is strictly necessary for you to provide your service or fulfill a purpose?

4. Accuracy principle

The accuracy principle indicates you are responsible for taking all reasonable measures to ensure that the personal data you hold is correct and accurate.

“Personal data shall be: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).” GDPR Article 5(1)(d)

GDPR principles- accuracy principle

The intention behind the accuracy principle is to encourage you to keep only relevant data and update and maintain personal data that you are processing on a regular basis.

Therefore, you will have to conduct periodic accuracy checks and implement policies or procedures that will help you update personal data if necessary. The best way to do this is to identify how often you need to update data to fulfill the purpose you wanted to achieve in the first place.

Following this principle can actually help you get rid of all unnecessary, incorrect, and irrelevant data and help you get a clearer picture of the relevance of the personal data you are processing.

Bear in mind that data subjects can exercise their right to rectification, which is directly linked to the accuracy principle. The right to rectification grants an individual a right to demand inaccurate personal data to be erased, rectified or altered.

5. Storage limitation principle

The storage limitation principle prevents you from keeping personal data for longer than you need it.7 principles of GDPR- storage limitation principle For every personal data that you are processing, you will have to be able to justify why you are keeping it. Setting up data retention and data deletion schedules can help you comply with the storage limitation principle.

You can find out more details about how long you should keep personal data in our blog, where we talked about how to define data retention periods, where to begin in the process, what are the benefits of defining proper data retention periods, what you should do with the data you no longer need, and more…

Storage limitation principle -How long should you keep personal data?

6. Integrity and confidentiality principle

Integrity and confidentiality principle is often referred to as a security principle and entails the implementation of appropriate technical and organizational measures to ensure you prevent any intentional or unintentional risks, unauthorized third-party access or malicious attacks, and exploitation of data.7 principles of GDPR integrity and confidentiality principle As you can notice, this principle is tightly connected with information security, but it not only refers to taking measures against malicious attacks and data breaches, but it also includes organizational measures that you can implement to secure personal data.

7. Accountability principle

Last but not least, the accountability principle means you (as a data controller or organization) are responsible for compliance with all of the above-mentioned GDPR principles, and most importantly you are responsible for demonstrating compliance if necessary.

This means you should document every step of your compliance journey and provide evidence of the steps you have taken so far, and might include:

  • Documentation of processing activities
  • Implementation of technical and organizational measures
  • Implementation of data protection policies
  • Data protection impact assessments (if you had to conduct one)
  • Appointment of a DPO

If you are documenting all this in different systems, in different ways, for different departments, including various people in the process, or you are documenting processing activities manually, in Excel, in the long run, this may cause serious problems. If that is the case, you might consider automating the processes.

GDPR principle- Accpuntability 68% of respondents rated systems and technology as very effective for data privacy compliance68% of respondents rated systems and technology as very effective for data privacy compliance in a recent study by FTI Consulting

Why are the 7 principles of GDPR important?

It is very easy to overlook these 7 GDPR principles and focus on more specific parts of the GDPR since principles don’t set strict rules. However, 7 GDPR principles represent the main building blocks and set the tone for the rest of the Regulation.

Principles should be intertwined and implemented in every aspect of your compliance journey. This is why any violation of GDPR principles will set off the highest administrative fines up to €20 million or 4% of your total worldwide annual turnover, whichever is higher.

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top